| Table of Contents |
|---|
...
Okapi doesn't protect the edge-* modules, edge-* modules that might be affected need to upgrade to log4j 2.17.0.
Hot-fix preview
Sysops that don't want to wait for the official hot-fix release can install the module versions of the platform-complete branch:
- https://github.com/folio-org/platform-complete/blob/R1-2021/install.json for Iris (R1-2021)
- https://github.com/folio-org/platform-complete/blob/R2-2021/install.json for Juniper (R2-2021)
- https://github.com/folio-org/platform-complete/blob/R3-2021/install.json for Kiwi (R3-2021)
Configuration variables for back-end modules
Many back-end modules are affected by the Log4Shell issue, until new jar files and new docker containers with a fixed version are ready the existing back-end modules should be reconfigured with an environment variable that disables the flaw for most cases in log4j:
LOG4J_FORMAT_MSG_NO_LOOKUPS=true- Append
-Dlog4j2.formatMsgNoLookups=trueto theJAVA_OPTIONSvariable
Pick one of the two options.
Example for the second option: If the existing configuration has JAVA_OPTIONS="-XX:MaxRAMPercentage=66.0" then the new configuration should beJAVA_OPTIONS="-XX:MaxRAMPercentage=66.0 -Dlog4j2.formatMsgNoLookups=true"
SQL query to do this, posted by Lucy Menon on #sys-ops Slack channel, assuming that all modules in use already have a JAVA_OPTIONS env entry:
...
Not completely. It only limits exposure while leaving some attack vectors open. Using the configuration variables is a temporary measure for the time until patched FOLIO modules are available. Please upgrade to patched modules as soon as possible.
From: https://logging.apache.org/log4j/2.x/security.html
History
Older (discredited) mitigation measures
...
No, updating to log4j >= 2.16.0 is sufficient. LOG4J_FORMAT_MSG_NO_LOOKUPS=true or -Dlog4j2.formatMsgNoLookups=true should only be used by sysops for unpatched modules as a temporary fix. Don't add them to the ModuleDescriptors or LaunchDescriptors a module ships with. For details see section "Is using configuration variables secure?" above.
...